Black Duck supports scanning images stored in the Amazon Elastic Container Registry (ECR). Image scan results are sent to your dedicated Black Duck instance providing vulnerability, license, and operational risk results on the open source software components identified in the ECR image.
There are two ways to scan container images in ECR:
These methods are described as follows:
Before you can scan images in ECR using Synopsys Detect, ensure that the following requirements are met:
To scan container images locally that are stored in ECR, follow these steps:
Authenticate with ECR. ECR uses authentication tokens that expire after 12 hours. The ecr get-login command generates a docker login command with authentication credentials.
aws ecr get-login --region region --no-include-email | sh
Invoke Synopsys Detect, and configure at least the following:
bash <(curl -s https://detect.synopsys.com/detect.sh) \
    --blackduck.url=<URL> \
    --blackduck.api.token=<token> \
    --detect.docker.image=<Image URI> \
    --detect.project.name=<Project Name>
Tip: Using the latest tag when specifying the image name allows triggering a re-scan when a new version of the image is pushed to the registry. To use this, ensure that an image with the latest tag exists in your registry.
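A pre-flight check for the two steps above, as an added example that is not part of the Black Duck or AWS documentation: it validates that the image URI points at a private ECR registry, derives the region for the login command from that URI so the login and the scan target the same registry, and prints the values to use. The function names are hypothetical, the sample URI is constructed, and the script assumes registry hosts of the form `<12-digit account>.dkr.ecr.<region>.amazonaws.com`.

```sh
#!/bin/sh
# Added example, not Black Duck or AWS code. Assumes private ECR image URIs:
#   <12-digit account>.dkr.ecr.<region>.amazonaws.com/<repository>[:tag|@digest]

# Print the registry host, or fail if the URI is not a private ECR image.
ecr_registry() {
  case "$1" in */?*) ;; *) return 1 ;; esac        # needs a repository part
  host=${1%%/*}
  case "$host" in *.dkr.ecr.*.amazonaws.com) ;; *) return 1 ;; esac
  acct=${host%%.*}
  case "$acct" in *[!0-9]*) return 1 ;; esac        # account ID: digits only
  [ "${#acct}" -eq 12 ] || return 1                 # and exactly 12 of them
  region=${host#*.dkr.ecr.}; region=${region%.amazonaws.com}
  case "$region" in ""|*[!a-z0-9-]*) return 1 ;; esac
  printf '%s\n' "$host"
}

# Print the AWS region embedded in the registry host.
ecr_region() {
  h=$(ecr_registry "$1") || return 1
  h=${h#*.dkr.ecr.}
  printf '%s\n' "${h%.amazonaws.com}"
}

# Print the reference to pass to --detect.docker.image, adding :latest when the
# URI carries no tag or digest (the tag the Tip above relies on).
detect_image_ref() {
  ecr_registry "$1" >/dev/null || return 1
  path=${1#*/}
  case "$path" in
    *:*) printf '%s\n' "$1" ;;
    *)   printf '%s:latest\n' "$1" ;;
  esac
}

# Print the login command and the Detect image argument without running them.
print_plan() {
  region=$(ecr_region "$1") || { echo "not a private ECR image URI: $1" >&2; return 1; }
  image=$(detect_image_ref "$1") || return 1
  echo "aws ecr get-login --region $region --no-include-email | sh"
  echo "--detect.docker.image=$image"
}

# Constructed sample URI (account ID and repository are made up).
print_plan "123456789012.dkr.ecr.eu-west-1.amazonaws.com/team/app" || true
```

Rejecting hosts that merely contain an ECR-looking prefix keeps the `docker login` credentials and the scan pointed at the registry you intended.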